Some people (from Active Directory) cannot log in anymore

Roland Niese March 30, 2015

We had the problem that suddenly, three out of hundreds of people were no longer able to log in. After entering the correct credentials, they not only saw the error "wrong username or password" but also an "internal server error occurred". And: neither atlassian-jira.log, atlassian-jira-security.log nor even catalina.out contained a single log entry about the error, even after raising the log level to DEBUG.

Luckily we fixed the problem, resolution follows...

1 answer

1 accepted

0 votes
Answer accepted
Roland Niese March 31, 2015

For three weeks we had no clue because there were no logs. But when we edited the user directory settings in the "Users" section, selected "Save and Test" and ran the test with one of the affected users, we finally got an error message: LDAP 32: Object not found

Problem: we are using Active Directory. A group had been deleted without removing the members beforehand. This left invalid references in the former group members' entries which look like:

memberOf = NameOfTheDeletedGroup\0ADEL: <some long GUID>,OU=Deleted Objects,DC=company,DC=com

Microsoft AD tools recognize such entries and hide them, so our Windows admins could not see the problem. I could only see the problem in an independent LDAP browser.

All the former members of the group could not authenticate anymore and got this strange error without logs. Solution: recover the deleted group, remove all members explicitly and delete the group again.

I'm just writing this in order to give a hint to others who are in a similar situation.

We are using JIRA 6.3 standalone version on a Linux machine (64-bit). We import all our users from AD.
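The check described in the answer can be run across all users at once instead of one user at a time in an LDAP browser. The following is an added example, not code from the original post: it scans an LDIF export (assumed to come from an independent LDAP tool) for memberOf values carrying the `\0ADEL:` marker or pointing into "Deleted Objects", accepting either `OU=` as the post writes it or `CN=`. The sample entries, names and the all-zero GUID are constructed placeholders.

```python
import base64
import re

# Marker from the post: "\0ADEL:<GUID>" in the name, or a "Deleted Objects" parent.
STALE = re.compile(r"\\0ADEL:|(?:^|,)\s*(?:CN|OU)=Deleted Objects\s*,", re.IGNORECASE)

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry, unfolding lines and decoding base64."""
    unfolded = re.sub(r"\r?\n ", "", text)            # RFC 2849 folded lines
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):                  # "attr:: <base64 value>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            yield entry

def find_stale_memberships(text):
    """Return {user DN: [memberOf values that reference deleted objects]}."""
    hits = {}
    for entry in parse_ldif(text):
        stale = [v for v in entry.get("memberof", []) if STALE.search(v)]
        if stale:
            hits[entry.get("dn", ["<no dn>"])[0]] = stale
    return hits

# Constructed sample data (placeholder GUID), shaped like the value quoted in the post.
DELETED_REF = (r"CN=OldGroup\0ADEL:00000000-0000-0000-0000-000000000000,"
               "OU=Deleted Objects,DC=company,DC=com")
SAMPLE_LDIF = "\n".join([
    "dn: CN=alice,OU=Staff,DC=company,DC=com",
    "memberOf: CN=jira-users,OU=Groups,DC=company,DC=com",
    "memberOf: " + DELETED_REF[:60],
    " " + DELETED_REF[60:],                           # folded continuation line
    "",
    "dn: CN=bob,OU=Staff,DC=company,DC=com",
    "memberOf: CN=jira-users,OU=Groups,DC=company,DC=com",
    "",
    "dn: CN=carol,OU=Staff,DC=company,DC=com",
    "memberOf:: " + base64.b64encode(DELETED_REF.encode()).decode(),
    "",
])

if __name__ == "__main__":
    for dn, refs in find_stale_memberships(SAMPLE_LDIF).items():
        print(dn, "->", refs)
```

Any DN it reports is a candidate for the login failure described above, and the fix remains the one in the answer.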
